[OT] CVSUP (was "Re: Was: Re: Why This Infinite Loop??")

Garrett Cooper youshi10 at u.washington.edu
Tue Aug 22 18:03:52 UTC 2006

On Aug 22, 2006, at 12:19 AM, Erik Trulsson wrote:

> On Tue, Aug 22, 2006 at 06:38:46AM +0100, Matthew Seaman wrote:
>> Lowell Gilbert wrote:
>>> Garrett Cooper <youshi10 at u.washington.edu> writes:
>>>> Gerard Seibert wrote:
>>>>> IMHO, it might be a lot easier for him to use portsnap. Especially
>>>>> if he is not familiar with the FBSD ports system. Just my opinion
>>>>> though.
>>>>    CVSUP isn't that difficult IMHO to learn, and is a better, more
>>>> efficient way to download the ports Makefiles.
>>> In what way?  For typical applications, lower bandwidth usage is
>>> supposedly an advantage of portsnap.
>>>>                                                It will take him  
>>>> all of
>>>> 10-20 minutes to configure if he reads the documentation and  
>>>> uses the
>>>> example file.
>>> I would think so.  And it can be used with arbitrary cvs trees,
>>> including the FreeBSD source tree.  On the other hand, it doesn't
>>> come in the FreeBSD base system, and it doesn't sign the updates.
>> But csup(1) is in the base system for values of base system equal to
>> 6.1-STABLE or better.  csup(1) is cvsup(1) reimplemented in plain C
>> and apart from the graphical display stuff is a drop in replacement
>> for cvsup(1).
> Not quite a drop in replacement.  csup(1) does not (yet) support  
> CVS mode
> which is used to maintain a local copy of the repository.

I did a bit of searching and it appears that my thoughts on how CVSUP  
is implemented are slightly skewed. From the portsnap developer's page:

-CVSup is insecure. The protocol uses no encryption or signing, and  
any attacker who can intercept the connection can insert arbitrary  
data into the tree you are updating.
-CVSup isn't end-to-end. Related to the previous point, this means  
that anyone who can compromise a CVSup mirror can feed arbitrary data  
to the people who are using that mirror.
-CVSup isn't designed for frequent small updates. While CVSup is very  
good at distributing CVS trees, and is very efficient for updating a  
tree which has been significantly changed (eg, by a month or more of  
commits), it transmits a list of all the files in the tree, which  
makes it quite inefficient if only a few files have changed.
-CVSup uses a custom protocol. This can cause problems for people  
behind firewalls -- outgoing connections on port 5999 need to be  
permitted -- and it needs a heavyweight server (cvsupd).

The first and fourth points are the ones I noted as the flaw in my  
original argument of the overall operation of CVSUP vs portsnap. I  
thought that CVSUP actually used the CVS protocol to transfer data,  
which can encrypt data using SSH tunneling but it actually doesn't  
and is very insecure =\. Noting that portsnap fetches all files via  
fetch with ssl support enabled as well by quickly reading through the  
portsnap script, it is much more secure than CVSUP is.

The only thing to note is that you still need to use CVSUP to update  
your base package sources, as there isn't a compressed, fetching  
equivalent like portsnap available for the sources.

Although this would have been more efficient for beno because it  
sounds like his ports tree hasn't been updated in ages, portsnap  
would be better to use in the future for updating his ports tree.


More information about the freebsd-questions mailing list